Local fix

Problem summary

The design of the PKCSDerObject.decode( byte[] der ) method
indicates that the byte array being received may contain either:
- "raw der encoded data", or
- that same "raw der encoded data" encoded as base64
The method first assumes that the data is "raw der encoded data"
and attempts to decode it under that assumption.
If that decoding attempt causes an exception to be thrown "for
any reason", the code blindly assumes that
the exception was caused because the data was actually "base64"
rather than "raw".
It then retries its decoding attempt by first removing the
base64 encoding.
The failure experienced by the customer had an unanticipated
cause: an incorrect PKCS#7 ContentType OID within the data being
decoded, which specified EnvelopedData rather than SignedData.
Because of this error, the EnvelopedData.decode( ) method got
control by accident, and from that point onward a decoding error
of some type was guaranteed.
The decoding exception experienced internally is shown below:
java.io.IOException: Invalid EnvelopedData version (must be 0 or 2).
    at com.ibm.security.pkcs7.EnvelopedData.decode(EnvelopedData.java:481)
    at com.ibm.security.pkcsutil.PKCSDerObject.decode(PKCSDerObject.java:283)
    at com.ibm.security.pkcsutil.PKCSDerObject.<init>(PKCSDerObject.java:84)
    at com.ibm.security.pkcs7.Content.<init>(Content.java:68)
    at com.ibm.security.pkcs7.EnvelopedData.<init>(EnvelopedData.java:142)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:67)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:522)
    at com.ibm.security.pkcs7.ContentInfo.createDynamicObject(ContentInfo.java:258)
    at com.ibm.security.pkcs7.ContentInfo.createContent(ContentInfo.java:672)
    at com.ibm.security.pkcs7.ContentInfo.decode(ContentInfo.java:620)
    at com.ibm.security.pkcsutil.PKCSDerObject.decode(PKCSDerObject.java:283)
    at com.ibm.security.pkcsutil.PKCSDerObject.read(PKCSDerObject.java:371)
    at com.ibm.security.pkcsutil.PKCSDerObject.<init>(PKCSDerObject.java:135)
    at com.ibm.security.pkcs7.ContentInfo.<init>(ContentInfo.java:392)
    at pkcs.SignedDataTest.main(SignedDataTest.java:12)
When the decode method catches the exception above, it assumes
that this exception occurred because the data being decoded was
"base64 encoded" der encoded data. It tries to remove the
base64 encoding before decoding the der encoded data. This
resulted in the following exception which was meaningless in
this case:
java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.
    at com.ibm.security.util.DerInputStream.getLength(DerInputStream.java:715)
    at com.ibm.security.util.DerInputStream.getLength(DerInputStream.java:689)
    at com.ibm.security.util.DerValue.<init>(DerValue.java:254)
    at com.ibm.security.util.DerInputStream.getDerValue(DerInputStream.java:490)
    at com.ibm.security.pkcsutil.PKCSDerObject.decode(PKCSDerObject.java:258)
    at com.ibm.security.pkcsutil.PKCSDerObject.read(PKCSDerObject.java:297)
    at com.ibm.security.pkcsutil.PKCSDerObject.<init>(PKCSDerObject.java:129)
    at com.ibm.security.pkcs7.ContentInfo.<init>(ContentInfo.java:392)
    at pkcs.samples.PKCS7SignedDataUtil.verifySignature(PKCS7SignedDataUtil.java:83)
    at pkcs.samples.PKCS7SignedDataUtil.main(PKCS7SignedDataUtil.java:175)

Problem conclusion

This defect will be fixed in:
- 6.0.0 SR10
- 5.0.0 SR13
- 1.4.2 SR14
To help debug future occurrences of this problem, additional
debug tracing has been added to the decode method. It will now
trace the internal exception generated by the first decode
attempt (where "raw" der encoded data is assumed). That
exception will be preceded by the following comment within the
debug trace output:
"The exception shown within the trace data below was thrown by
PKCSDerObject.decode( byte[] der ) while trying to decode an
object that it assumed was in raw der encoded form. Either there
is an error within that raw der encoded data which led to this
exception, or the data itself was actually base64 encoded.
PKCSDerObject.decode( byte[] der ) will now re-attempt the
decoding operation.
This time, however, it will assume that the data is also base64
encoded, and will attempt to remove the base64 encoding before
trying to decode the der encoded object. If a second exception
is thrown, then there is likely either a der encoding problem
with the object being decoded (most likely) or there is a
problem with the base64 encoding (less likely)."
...... exception stack trace here .............
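The following Python sketch is an added illustration, not IBM's code: it reproduces the raw-first, base64-second fallback described above over a minimal DER reader, and keeps the raw-DER exception as the cause of the second failure instead of discarding it, which is what the new trace output restores. The OID constants are the PKCS#7 contentType OIDs; the EnvelopedData failure is a stand-in for the library's dispatch error, the input is assumed to be bytes, and all sample inputs are constructed.

```python
import base64
import binascii

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")     # 1.2.840.113549.1.7.2 (PKCS#7)
OID_ENVELOPED_DATA = bytes.fromhex("2a864886f70d010703")  # 1.2.840.113549.1.7.3 (PKCS#7)

def read_tlv(buf, pos=0):
    """Parse one DER tag/length/value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:               # long form: low 7 bits = number of length octets
        n = length & 0x7F
        if n == 0:                  # 0x80 = indefinite length, BER only
            raise ValueError("indefinite length is not valid DER")
        if n > 4:                   # e.g. a 0xFF octet gives the page's lengthTag=127
            raise ValueError(f"DerInputStream.getLength(): lengthTag={n}, too big")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER value")
    return tag, value, pos + length

def decode_raw(der):
    """ContentInfo ::= SEQUENCE { contentType OID, ... }; dispatch on the OID."""
    tag, seq, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("ContentInfo is not a SEQUENCE")
    otag, oid, _ = read_tlv(seq)
    if otag != 0x06:
        raise ValueError("contentType is not an OID")
    if oid == OID_SIGNED_DATA:
        return "SignedData"
    if oid == OID_ENVELOPED_DATA:   # stand-in for the EnvelopedData.decode() failure
        raise ValueError("Invalid EnvelopedData version (must be 0 or 2)")
    raise ValueError(f"unsupported contentType {oid.hex()}")

def decode(data):
    """Raw first, base64 second (as PKCSDerObject.decode), without losing the raw error."""
    try:
        return decode_raw(data)
    except ValueError as first:
        try:
            decoded = base64.b64decode(data, validate=True)   # non-alphabet byte -> not base64
        except binascii.Error:
            raise first               # input was never base64: the raw-DER error is the real one
        try:
            return decode_raw(decoded)
        except ValueError as second:
            raise second from first   # the raw-DER failure survives as __cause__
```

With this shape, the misleading "lengthTag=127" style error can only appear when the input really was valid base64, and the original raw-DER error is always reachable through the exception's cause chain.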
To obtain the fix:
Install build 20110308 or later